Thomas Mørch wrote:
> 2009/3/21 Tom Eastep <[email protected]>
>
> > Thomas Mørch wrote:
> > > 2009/3/20 Tom Eastep <[email protected]>
> > >
> > > > Thomas Mørch wrote:
> > > > > I just did an hw upgrade on my FW (new cpu, mb etc.) but without
> > > > > reinstall of my debian system.
> > > > >
> > > > > but after my upgrade I can't get access to the internet through the fw.
> > > > >
> > > > > 1. I can ping the FW from loc,
> > > > > 2. I can ping net from FW
> > > > > 3. I can't ping loc from FW? (ICMP host unreachable)
> > > > > 4. I can access the apache server running on FW from both loc and net
> > > >
> > > > Can you do any of these things if you disable Shorewall (shorewall clear)?
> > >
> > > I tried to ping a host on loc, without shorewall loaded (shorewall clear),
> > > and it worked fine.
> > > After I started shorewall I get: "From 192.168.2.12 icmp_seq=1 Destination Port Unreachable"
> > > 192.168.2.12 is the firewall's loc ip address. I tried to ping 192.168.2.20 on my loc net.
> >
> > 192.168.2.20 is not in the loc zone. It is in the stat zone and you have not
> > enabled ping from fw->stat.
>
> stat is defined as a nested zone within loc:
>
> zones:
> loc      ipv4
> kids:loc ipv4
> voks:loc ipv4
> stat:loc ipv4
>
> and in hosts it's defined as a "subnet" of loc:
>
> loc  eth0:192.168.2.0/24
> kids eth0:192.168.2.192/26
> voks eth0:192.168.2.128/26
> stat eth0:192.168.2.127/25
>
> In my policy file I have set the nested zones to CONTINUE:
>
> voks all CONTINUE
> kids all CONTINUE
> stat all CONTINUE
>
> So I thought that if I have a rule that allows the fw to ping loc, then it
> would enable ping to the whole loc network (including voks/kids/stat zones)
>
> Is this assumption wrong?
Yes. fw->stat traffic matches none of those CONTINUE policies; you would need to add

stat all CONTINUE
kids all CONTINUE
voks all CONTINUE

-Tom.
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
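The point Tom makes (a ping from the firewall to 192.168.2.20 is fw->stat traffic, and policy rows that name stat, kids or voks only in the SOURCE column do not match it) can be checked with a small model of zone classification and policy lookup. The script below is an added example written for this thread, not Shorewall code and not part of the original mails; it copies the zones, hosts and policy rows quoted above and applies a deliberately simplified matching model (an assumption: longest-prefix host match picks the zone, and the first policy row whose SOURCE and DEST columns match, with "all" as a wildcard, wins). The `explain` helper and the extra `("all", "stat", "CONTINUE")` row used for comparison are constructed for the example.

```python
import ipaddress

# Configuration copied from the thread: zones file (child -> parent), hosts
# file entries on eth0, and the three CONTINUE policy rows, in file order.
# The /25 entry is written with host bits set; strict=False masks it to
# 192.168.2.0/25, which is how a netmask would be applied anyway.
ZONES = {"loc": None, "kids": "loc", "voks": "loc", "stat": "loc"}
HOSTS = [
    ("loc",  "192.168.2.0/24"),
    ("kids", "192.168.2.192/26"),
    ("voks", "192.168.2.128/26"),
    ("stat", "192.168.2.127/25"),
]
FW_ADDRESSES = {"192.168.2.12"}           # the firewall's own loc address
THREAD_POLICIES = [                       # (SOURCE, DEST, POLICY)
    ("voks", "all", "CONTINUE"),
    ("kids", "all", "CONTINUE"),
    ("stat", "all", "CONTINUE"),
]


def zone_of(address, hosts=HOSTS, fw_addresses=FW_ADDRESSES):
    """Most specific zone for an address (simplified model, an assumption):
    the firewall's own addresses are 'fw'; otherwise the host entry with the
    longest prefix wins, so an address inside a nested zone is classified
    into the child zone, never into the parent 'loc'."""
    if address in fw_addresses:
        return "fw"
    ip = ipaddress.ip_address(address)
    best_zone, best_len = None, -1
    for zone, cidr in hosts:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and net.prefixlen > best_len:
            best_zone, best_len = zone, net.prefixlen
    return best_zone


def first_matching_policy(src_zone, dst_zone, policies):
    """Return the first policy row whose SOURCE and DEST columns match the
    zone pair ('all' matches anything), or None if no row matches."""
    for src, dst, action in policies:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return (src, dst, action)
    return None


def explain(src_addr, dst_addr, policies=THREAD_POLICIES):
    """Classify a packet by zone pair and report the policy row it hits."""
    src_zone, dst_zone = zone_of(src_addr), zone_of(dst_addr)
    row = first_matching_policy(src_zone, dst_zone, policies)
    return {"src_zone": src_zone, "dst_zone": dst_zone, "policy": row}


if __name__ == "__main__":
    # The ping from the thread: firewall -> 192.168.2.20 lands in fw->stat
    # and hits none of the three CONTINUE rows.
    print(explain("192.168.2.12", "192.168.2.20"))
    # The reverse direction does hit a row, because stat is in its SOURCE column.
    print(explain("192.168.2.20", "192.168.2.12"))
    # Constructed comparison: a row with stat in the DEST column matches fw->stat.
    print(explain("192.168.2.12", "192.168.2.20",
                  THREAD_POLICIES + [("all", "stat", "CONTINUE")]))
```

Run it as-is and the first report shows `policy: None` for the firewall-to-192.168.2.20 ping, while the same addresses in the other direction match `('stat', 'all', 'CONTINUE')`. Because the three host entries together cover the whole 192.168.2.0/24, every loc host is classified into one of the child zones, so a rule written against the parent zone name never sees those packets on its own.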
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
